1. Field of the Invention
This invention concerns a method and a device to control the access to memory areas attached to applications and software modules of an electronic unit with microprocessor, in particular a microcontroller. The invention is for example applicable to, but not limited to, electronic smartcards.
2. Related Art
The smartcard like all embedded computer systems includes a processor, inputs/outputs and memory which is divided into non-volatile memory generally used to store programs and data, and volatile memory generally used as processing memory. The embedded systems or portable objects and in particular the smartcards are now performing more and more complex functions due, in particular, to the storage of multiple-application programs: these smartcards are designated by the term “multi-application smartcard”.
Regarding the security of multi-application smartcards, isolation of the applications from each other plays an essential role. In a smartcard containing several applications therefore, it is important to be able to deny applications access to data, which does not belong to such applications to prevent malicious use or transmission of information to the outside. For example, it may be necessary to deny a first application access to confidential data belonging to a second application such as cryptographic keys. In particular, because the data is stored permanently in non-volatile memory, it may be necessary to restrict reading and updating to authorized applications only.
In addition, due to the increase in memory capacity and processing power of the smartcards, software architecture is becoming more structured, with functions isolated from each other as modules and distributed on various levels.
For example, therefore, in a software architecture for smartcards, we can identify, as shown on FIG. 1, the core layer “CORE” interfacing directly with the hardware (and comprising in particular the generic non-volatile memory access routines), the system layer “OS” concerning the operating system which manages the shared resources and services, and the application layer “APPLI” grouping various software applications. Each layer can be subdivided into sub-layers and functional modules: the system layer includes, for example, functional modules such as the cryptographic algorithm processing service, management of memory and input/output resources.
In this type of model, an application no longer accesses its data in memory directly, but via functions located in the core and system layers. The problem of restricting access to stored data to authorized applications only arises, in particular, in this context of indirect accesses.
More generally, a multi-layer modular software architecture can be designed in which, firstly, a module calls one or more modules to execute some of its tasks and secondly each module has a program and data stored in non-volatile memory in clearly defined areas, i.e., data for which the handling or use must be restricted to authorized modules only.
Generally, memory protection mechanisms can be produced in a software and/or hardware form for interpreted applications and in a hardware form for executed applications as windows opened on the memory (such as a segmentation device) or as semi-static access matrices. Applications are associated with memory areas either during configuration or when activating an application. Such mechanisms only allow memory access for predetermined code/data area pairs.
For example, with an access matrix, memory pages are associated with applications, when the card is configured, by programming page attributes; the role of the hardware at the time of execution is limited to a simple comparison between the identity of the page “owner” of a page being accessed and the identity of the module trying to access the page (known by the hardware, for example, by the position of the program counter). The disadvantage with these access matrix mechanisms arises from the fact that these mechanisms require a direct relationship between program and data: this relation exists as long as the page owner accesses its data directly (via the microprocessor read/write instructions), but this direct relationship between processing and data disappears in configurations where a module other than the owner of a data area attempts to access the data using the owner's name (“in its name”). Two examples illustrating this situation are (i) a virtual machine which accesses the data of applications “in their names” and (ii) an EEPROM manager module between the application and the non-volatile memory. These, “indirect relation” accesses cannot be protected by access matrix type devices.
The invention aims to overcome the disadvantages of the devices and systems of the known state of the art while meeting the requirements, which arise for example, from “indirect relation” access.
In the context of a multi-layer modular software architecture of a computer system and more particularly, in the following description of an embedded system such as a smartcard, the objective of the invention is therefore to provide a method capable of isolating and protecting memory areas attached to said modules.
Still in this context, the objective of the invention is to provide a method capable of controlling the access to the memory and of restricting access to authorized modules only.